Configuring OneLogin

Search for Mimecast or locate the Mimecast apps in the Security category.

Click add for the Administration Console or for Mimecast Personal Portal.

Enter a suitable display name that will be displayed to your users.

Configure the additional options as applicable:

Select Continue.

Enter the Configuration section.

Select the Mimecast service where your Mimecast account is located. Do not click Update yet.

Select the Single Sign-on tab and copy the Issuer URL. Ensure that you select Email as the Default values entry, as Mimecast requires users to log on using their primary email address. Do not click Update yet.

Enter the Access Control and Logins sections, ensuring you configure the apps for the appropriate users before you click Update.

A separate app needs to be created for the Administration Console and Mimecast Personal Portal.

Create an Authentication Profile

Log in to the Administration Console, navigate to the Services | Applications menu, and select the Authentication Profiles button.

Select an existing Authentication Profile or select the New Authentication Profile button.

Alternatively, you can specify the values manually by visiting the Issuer URL and downloading the metadata. Open the downloaded file and configure the Authentication Profile using the details found in it:

Enter the Entity ID URL as the Issuer URL in Mimecast.

Enter the HTTP-POST URL as the Login URL in Mimecast.

Enter the Logout URL in Mimecast. Most commonly this is the URL you are redirected to when you log out of your Identity Provider (IdP).

Enter the ds:X509Certificate as the Identity Provider Certificate (Metadata) in Mimecast.
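
The manual mapping above, as an added example (not Mimecast or OneLogin code): a Python script that reads SAML IdP metadata and returns the four values to enter, plus a SHA-256 fingerprint of the certificate that can be compared with the certificate shown in the IdP's own console. The sample metadata, the host idp.example.test and the function name mimecast_fields are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: host, paths and certificate bytes are placeholders, not real values.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/saml/metadata/000000">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>
    {base64.b64encode(FAKE_DER).decode()} </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/slo/000000"/>
  <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/sso/redirect/000000"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/sso/post/000000"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def mimecast_fields(xml_text):
    """Return the four Authentication Profile values listed above, plus a cert fingerprint."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata containing a DTD is refused (entity expansion risk)")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]   # the Login URL is the HTTP-POST endpoint
    slo = idp.find("md:SingleLogoutService", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not post or cert is None:
        raise ValueError("metadata lacks an HTTP-POST endpoint or a certificate")
    fields = {"Issuer URL": root.get("entityID"), "Login URL": post[0],
              "Logout URL": slo.get("Location") if slo is not None else None}
    for name, url in fields.items():
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"{name} is not an https URL: {url!r}")
    b64 = "".join(cert.text.split())              # strip line wrapping before pasting
    fields["Identity Provider Certificate (Metadata)"] = b64
    # validate=True rejects stray non-base64 characters picked up while copying
    fields["cert SHA-256"] = hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()
    return fields

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in mimecast_fields(SAMPLE_METADATA).items()))
```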

In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

Log in to the Administration Console.

Navigate to the Services | Applications menu.

Select the Authentication Profiles button.

To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.

Select the check box to enable Permitted Application Login IP Ranges.

In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

Log in to the Administration Console.

Navigate to the Services | Applications menu.

Select the Authentication Profiles button.

To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.

Select the check box to enable Permitted Gateway Login IP Ranges.

In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

Select Save and Exit to apply the new settings.

Other options

An Authentication Profile is applied to a group of users. A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

Log in to the Administration Console.

Navigate to the Services | Applications menu.

Select the Application Setting that you want to use.

Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.

Select Save and Exit to apply the change.

Next Steps

The configuration is now complete, and users with this Authentication Profile applied should be redirected to OneLogin when attempting to log in to the application(s) that you have enabled SAML Authentication for.

SAML Authentication will be enforced for the address Group configured in the Application Setting, and the email addresses within the Group will only be able to log on to the Mimecast Administration Console and/or Mimecast Personal Portal using SAML. If for any reason your Identity Provider (IdP) is not available or there is an issue with SAML Authentication, the addresses will not be able to log on. Mimecast recommends that you create an emergency non-SAML Authentication logon for the Administration Console that will allow you to update the Authentication Profile configuration if you experience these issues.